Atlassian HipChat breach prompts mass password reset

An attack on a third-party library affecting Atlassian’s HipChat team chat platform that may have seen users’ information compromised has prompted a mass password reset for the company’s services.

Atlassian’s chief security officer, Ganesh Krishan, sent an email to users on 25 April, revealing that the company’s security intelligence team had detected an incident affecting the platform.

The incident may have resulted in unauthorised access to some user account information, including name, email address and hashed password.

According to a blog post published by Krishan on 24 April, the incident involved a vulnerability in a popular third-party library used by HipChat.com.

“In our security investigation, we found no evidence of unauthorised access to financial and/or credit card information,” Krishan said. “We can also confirm that we have found no evidence of other Atlassian systems or products being affected.”

However, the company conceded that the platform’s room metadata (including room name and room topic) may have also been accessed.

“For a small number of instances (less than 0.05 per cent), messages and content in rooms may have been accessed,” Krishan said. “We are contacting and will work closely with these customers.

“For the vast majority of instances (more than 99.95 per cent), we have found no evidence that messages or content in rooms have been accessed,” he said.

The company said that, as a precaution, it had invalidated passwords on all HipChat-connected user accounts and sent users instructions on how to reset their password.

As an added precaution, the company also reset users’ Atlassian ID, which is used to access all Atlassian services, including HipChat.

“If you have been using your Atlassian ID password on other sites, services or online accounts, we recommend that you immediately change those passwords as well,” Krishan said.

While HipChat Server uses the same third-party library that was compromised, it is generally deployed in a way that is expected to minimise the risk of the type of attack that resulted in this particular incident, according to Krishan.

“We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel,” he said. “We are confident we have isolated the affected systems and closed any unauthorised access.”

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.